Biometrics go mobile

Apple's foray into fingerprint scanners for the iPhone could make biometrics mainstream. (FCW image).

Using biometric identifiers for secure access to mobile devices is not new, but in most organizations it has been relegated to a marginal role at best.

The technology's status could be set for a fundamental change, however. Apple's new iPhone 5S, released in late September, comes with a built-in Touch ID fingerprint sensor. When the device's owner touches the smartphone's home button, the sensor reads the fingerprint and unlocks the phone. The feature can also be used to authorize iTunes store purchases.

Technology watchers contend that Apple's fingerprint foray, if successful, could take biometrics into the mainstream.

"That is a huge catalyst for the biometrics industry — as long as it works well and usability is good," said Jeff Scott, vice president of sales for North and South America atsecurity solutions providerPrecise Biometrics.

"The expectation is clear that biometrics will be getting a more prominent role in authentication in that [mobile] market," said Bojan Cukic, a professor in the computer science and electrical engineering department and co-director of the Center for Identification Technology Research at West Virginia University.

What's Next

Liveness detection. Biometrics can be fooled by photos (in the case of facial recognition) or gelatin casts (in the case of fingerprint scanning), but liveness detection can reduce the chances of biometric spoofing. Jesper Jurcenoks, director of security research at Critical Watch, said higher-quality fingerprint scanners now require the detection of a user's pulse through the finger before a device will open. He added that both iPhone and Android apps can detect a pulse by measuring the change in transparency of a finger as the user's heart beats. That detection is accomplished with a device's built-in camera, so adding such functionality to a fingerprint scanner should be relatively simple, Jurcenoks said.

Cukic said he and his colleagues at CITeR, a National Science Foundation Industry/University Cooperative Research Center, have seen an uptick in research and development efforts focused on using biometric technology for authenticating users on mobile platforms.

Why it matters

The technology's advocates argue that biometrics offer users an easier way to access mobile devices, and therefore, people are more likely to use it, which makes the devices more secure. Published reports suggest that fewer than half of iPhone users bother to set a four-digit pass code, and even then, codes can be forgotten, stolen or overcome via brute-force attacks.

Apple's video introducing Touch ID hails the fingerprint as one of the best passwords in the world because it stays with the person and no two are alike.

Perhaps of greater interest to enterprise security managers, biometric identifiers can provide an additional layer of authentication. Passwordsand PINs represent the baseline and are often augmented with secure tokens, such as smart cards. Biometric technology offers another authentication factor.

Adeeb Parkar, security engineer for 2020 census operations at the Census Bureau, said the government is always concerned about two-factor authentication. He said agencies should start with the biometric tools built into commercially available mobile devices.

"If a consumer device comes ready-made with this capability, it would behoove anyone to leverage that one piece as part of the authentication process," Parkar said.

If the technology becomes prevalent on consumer devices, agencies might end up relying more heavily on biometrics, he said, citing the importance of taking advantage of built-in technology versus paying for a separate authentication factor.

The bureau might put that notion into practice with the 2020 census. Officials will consider using commercial devices for collecting data in the field, Parkar said, and if those devices are equipped with biometrics, "we will definitely evaluate that for the authentication process to the device."

What's Next

Continual authentication. A smartphone or tablet can fall into the wrong hands after a user has authenticated and unlocked the device, so how can the device "know" whether an unauthorized person is using it? Bojan Cukic, co-director of the Center for Identification Technology Research at West Virginia University, said secondary characteristics — such as the gestures a person uses to perform operations or type on a virtual keyboard — can provide continual authentication. The approach is still largely in the research and development phase, but some products with that capability are now hitting the market, he added.

However, he added that the bureau must assess the emerging crop of consumer devices — and their security capabilities — within the context of federal guidelines and standards.

The fundamentals

Examples of human characteristics that can prove identity include fingerprints, facial features and iris patterns. Biometric systems capture an image of a particular feature and store its unique characteristics as a mathematical template. A matching algorithm compares the stored template with subsequent image captures of the user's fingerprint, face, iris or other feature.

In government circles, law enforcement agencies have historically been strong users of biometrics. The FBI's Integrated Automated Fingerprint Identification System, which the agency describes as the world's largest biometric database, debuted in 1999.

Using biometric technology to secure mobile devices also has some history behind it. HP's iPAQ personal digital assistants had built-in biometric security in the early 2000s. Fingerprint readers arrived on laptops around the same time.

But biometric technology has not exactly captured the imaginations of mobile device users. Jesper Jurcenoks, director of security research at Critical Watch, said many of them were disappointed when the technology failed to live up to expectations.

"Biometric authentication is often promoted as the cure-all, which it certainly is not," he said.

The technology can also prove difficult to use. Jurcenoks cited his own experience: When he bought a laptop equipped with a built-in fingerprint scanner a couple of years ago, he found that the feature interfered with the other applications on the laptop.

He said people ended up hating biometrics so much that they avoided using the technology. That sentiment, however, is beginning to change.

"Biometrics is slowly coming out of the trough of disillusionment in the hype cycle," Jurcenoks said. "We are getting to the point where we are ready to re-evaluate it and use it where it makes sense."

The hurdles

Even people who are willing to adopt biometrics have not encountered many examples of it on widely used devices. Other potential mobile device authentication tools, such as the Defense Department's Common Access Card (CAC) and other federal personal identity verification (PIV) cards, have faced similar limitations. Indeed, mobile devices with built-in smart card readers have been as rare as devices with built-in biometric scanners.

What's Next

Clearly defined policies. Federal IT security policies can take a while to emerge. For that reason, Melissa Adamson, vice president for advanced technologies at Agilex, said she believes mobile policy development could prove to be the biggest barrier to widespread acceptance of biometric device authentication. Ideally, key players such as the National Institute of Standards and Technology, the Office of Management and Budget, the National Security Agency and industry would work together to create processes and policies that allow for more rapid innovation while still embracing the necessary security guidelines.

"Mobile technology is advancing so rapidly," Adamson said. "The technology is there. The thing that puts the government behind is the policies."

Nevertheless, a biometric shift is in the offing, with experts saying Apple's iPhone fingerprint scanner could trigger a wave of emulation from other device makers.

Terry Hartmann, vice president of security solutions and industry applications at Unisys, said any company that comes out with a new feature that has clear user benefits can expect competitors to replicate that feature within 12 months. The same pattern will likely happen with smartphones and biometrics.

"Once it becomes accepted on a device, it will become ubiquitous," Hartmann said.

On the tablet side, some Windows 8 machines already ship with built-in smart-card readers, said Melissa Adamson, vice president for advanced technologies at Agilex, a solution provider with an enterprise mobility practice.

Precise Biometrics, meanwhile, offers a casing for iPhones and iPads that provides a smart card reader and a fingerprint scanner. The company's Tactivo casing supports CAC, PIV and other smart cards. The company also offers dongle products for iOS and Android that read smart cards. Scott said those products are geared toward people who only use the cards occasionally.

"We're seeding the units all over the place for pilots and demos," Scott said.

The Defense Information Systems Agency, meanwhile, has issued a solicitation for CAC-enabled virtual thin-client solutions for managed and unmanaged mobile devices. DISA is seeking solutions that will let employees securely use personal or government-issued devices to access information or applications on DOD networks, said Mark Orndorff, program executive officer for mission assurance at DISA.

Smart cards and biometrics could also converge elsewhere in the government sector. The Department of Homeland Security, for instance, plans to add biometrics to its smart-card identification system.

But agencies have considerations beyond supply, including the level of security a particular type of biometric identifier offers.

Like other security measures, most biometric identifiers can be bypassed, Jurcenoks said. When they are used to replace an authentication factor such as a four-digit PIN, they can actually lead to lower security, he added.

Jurcenoks cited facial recognition as one example of a biometric that is easy to bypass. A smartphone compares a photo of the user stored on the phone with the user's face as he or she looks into the phone's front-facing camera. But a photograph of the user held in front of the phone's camera might also unlock the device.

If facial recognition replaces a PIN, "we go to a less secure version of one-factor authentication," Jurcenoks said.

David Shepherd, a senior consultant at government consulting firmLMI, said another issue with biometrics is determining a fallback position if the method doesn't work. An injury to a finger, for example, could temporarily change its print and render the biometric approach unworkable.

"What is the fail-safe if that happens and how vulnerable is the fail-safe to attack?" Shepherd asked.

Government and industry sources, however, said biometrics would not be likely to serve as the sole authentication factor in an enterprise deployment.

"We don't foresee us using biometrics as...a single method," Parkar said. Instead, the Census Bureau would supplement biometrics with another authentication factor to hedge its bets.